Fixed Intel

CVE Tracker

Track known exploited vulnerabilities, CISA KEV alerts, and linked threat intelligence.

Total CVEs: 2,234

CISA KEV: 1,589

Known Exploits: 41

Avg CVSS Score: 8.8

Severity Distribution

CRITICAL 8
HIGH 1599
MEDIUM 7
INFO 620

Showing 15 of 35 CVEs matching "PHP" · HIGH

CVE-2020-28949 · KEV
High

PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.

PEAR · EPSS 93.0%

CVE-2009-1151 · KEV
High

Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.

phpMyAdmin · EPSS 93.0%

CVE-2012-1823 · KEV
High

sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code.

PHP · CVSS 9.8 · EPSS 94.4% · Exploit

CVE-2019-11043 · KEV
High

In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.

PHP · EPSS 94.1%

CVE-2018-11138 · KEV
High

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution.

Quest · EPSS 93.4%

CVE-2019-6340 · KEV
High

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Drupal · CVSS 8.1 · EPSS 94.4% · Exploit

CVE-2020-9377 · KEV
High

D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php.

D-Link · EPSS 76.6%

CVE-2017-9841 · KEV
High

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

PHPUnit · EPSS 94.2%

CVE-2019-9082 · KEV
High

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

ThinkPHP · CVSS 8.8 · EPSS 94.3% · Exploit

CVE-2020-10221 · KEV
High

rConfig lib/ajaxHandlers/ajaxAddTemplate.php contains an OS command injection vulnerability that allows remote attackers to execute OS commands via shell metacharacters in the fileName POST parameter.

rConfig · EPSS 91.4%

CVE-2018-20062 · KEV
High

ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter.

ThinkPHP · EPSS 94.3%

CVE-2020-17496 · KEV
High

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759.

vBulletin · EPSS 94.2%

CVE-2020-25213 · KEV
High

WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.

WordPress · EPSS 94.4%

CVE-2019-16759 · KEV
High

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

vBulletin · CVSS 9.8 · EPSS 94.4% · Exploit

CVE-2020-5847 · KEV
High

Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.

Unraid · EPSS 93.5%